Smartphone Security: Photos, Personal Data Left on “Wiped” Devices

A study published last week by Avast (AVST[1]) suggests the vulnerability of Android smartphones goes beyond malware. As it turns out, wiping the devices fails to remove sensitive data.

Source: Avast

Avast is in the business of selling security software, so anything the company says about smartphone security should be taken with a grain of salt. Still, the evidence that Avast offered is shocking and should serve as a wake-up call, especially to those who are selling their Android smartphone in preparation for buying the next must-have mobile device.

What They Found

Avast purchased 20 used smartphones[2] that sellers assumed had been wiped of personal data because they used Android’s “Factory Reset” option. This is what was found:

40,000+ photos (including 750+ photos of women “in various stages of undress” and more than 250 male nude selfies)

More than 1,000 Google (GOOG[3]) searches

750+ e-mails

250+ contacts

The personal identity of four of the previous device owners

One completed loan application

While this sample might not be representative of what data you have on your mobile phone, it serves as a stark reminder that selling your smartphone comes with risks. And this may be just the tip of the iceberg when it comes to smartphone security issues.

By the way, this particular problem isn’t present on iPhones. Apple (AAPL[4]) encrypts all user data[5] in iOS automatically with a strong 256-bit algorithm and when a user chooses to “Erase all Contents and Settings” the encryption key is removed, rendering the data inaccessible. If you’re handing down or selling an old smartphone to get a new one, an iPhone doesn’t have the same smartphone security issues as an Android device does, at least when it comes to someone grabbing your data.

Smartphone Malware Is Serious, Android Is Most Vulnerable

Kapersky Lab, a well-regarded security company, published a study in 2013 showing that 99% of all mobile threats target Android devices[6]. The company also noted an explosion in smartphone malware, going from 8 new threats per month in 2011 to an average of 6,300 per month in 2012. That trend is continuing, and many smartphone owners are wearing a cyber crime bulls-eye.

Why is Android so vulnerable[7] when it comes to smartphone security? There are multiple factors. Apple only allows app downloading through its own, curated App Store and the majority of iPhones are running the latest version of iOS while Android devices are often running older (and possibly more vulnerable) operating systems.

And then there’s the size of the target.

Why bother chasing iPhone users or the few people using Microsoft’s (MSFT[8]) Windows Phone when more than 80% of the smartphones being used are running Android?

Of course, we’ve seen this situation before…

We Haven’t Had the Big One Yet, But…

The PC world went through many waves of harmful viruses, malware and security attacks. Go back to 2006 — when BlackBerry (BBRY[9]) was the only smartphone game in town — and the news is full of headlines about PC security.

A 2006 piece by Joris Evers on CNET says the FBI pegged the cost of PC malware and other criminal attacks on U.S. businesses at $67.2 billion[10].

Despite the hundreds of millions of smartphones in use and the massive amount of personal, financial and corporate data they store or access on a daily basis, we haven’t yet had an incident of catastrophic smartphone malware.

However, given the size of the target and the casual approach attitude many people have toward using their mobile devices, it seems likely to be a matter of time.

Smartphone Security Includes Smart Habits

While Avast and its competitors would like you to install smartphone security software — preferably a product they sell — your own smartphone security starts with common sense.

Among the tips recommended for using any mobile device, regardless of the platform:

Lock your smartphone with a PIN or password and set it up to lock automatically

Update your operating system

Only download apps from official app stores like Google Play

Don’t jailbreak your device

If encryption is offered, use it

Back up your data

Be wary of untrusted Wi-Fi hotspots

And yes, you can install mobile security software (from a reputable company). It may not be perfect, but does provide protection from smartphone malware.

Selling Your Smartphone?

For many people, the release of a hot new device like the iPhone 6 means selling your smartphone and using the cash to offset the cost of buying that shiny new one. Avast says there are more than 80,000 used smartphones for sale online on any given day.

Given the findings, if you are an Android owner and are considering selling your smartphone, it may well be worth investing in third-party security software that can permanently erase the data on your device. And if you’re selling an iPhone, remember to “Erase all Contents and Settings” before handing it over to the new owner.

The bottom line? Whether you’re selling your old device on EBay (EBAY[11]), snapping photos, side-loading apps or looking for free Wi-Fi to do some mobile shopping, you ignore smartphone security at your own risk.

As of this writing, Brad Moon did not hold a position in any of the aforementioned securities.